"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"
SID: 2012649
Revision: 5
Class Type: misc-activity
Metadata: created_at 2011_04_08, updated_at 2019_08_14
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: established,to_server
Contents:
-
Value: "Host|3a| "
-
Value: ".ru|0d 0a|"
-
Value: !"101.ru"
-
Value: !"9366858.ru"
Within: 25
PCRE: "/Host\x3A\x20[^a-z]*?[0-9]{2,30}\x2Eru\x0d\x0a/Hi"
Special Options:
-
http_header
-
http_header
-
fast_pattern
-
http_header
-
http_header